
Uses of edge routers?

Newbie to security and currently trying to design my home network. I came across an article that stated edge routers should be the first layers of defense, and then it went on in marketing-hype fashion about Cisco IOS Firewall Feature Set.

This had me a bit confused. Is there any real use to having an edge router? I mean some point out that it relieves the load on the firewall itself, but then the edge router would still be congested wouldn't it? If it does packet inspection / filtering, wouldn't it be acting in similar fashion to a firewall? But quite a few sources say an edge router should be the first layer of defense.

Wouldn't it be easier, not to mention less expensive, to not place an edge router and instead have the firewall in its place?

Wouldn't it be easier, not to mention less expensive, to not place an edge router and instead have the firewall in its place?

A fair amount of decent routers are inexpensive now. Add to that, most routers don't require any type of configuration for the firewall.
Most routers I've seen have two rules (out of the box):
1) Allow all LAN traffic outbound
2) Deny all WAN traffic inbound
This provides a basic level of protection right out of the box (granted it provides no security for a "leaky" computer). Add Network Address Translation (NAT) to that, and you've got a nice layer of security with basically no configuration.
As for handling the load, most routers these days are quite adept at handling internet traffic. A router should have no problem handling the traffic of your home network.
Also, while most routers are capable of SPI, I wouldn't just chalk it up as the same thing as a firewall. Routers possess a great deal of other functions outside of monitoring traffic. Overall, I'd say that with the low cost of most routers these days, it wouldn't be a bad idea to get one and use it as the first layer in your perimeter security.

The object of war is not to die for your country but to make the other bastard die for his - George Patton

If you are a home high speed user, you essentially already have this with the cable/dsl modem. Have a look at the ruleset on that device (if you can view it). On mine, it has several default filtering rules and a variety of others. The "High Security" canned ACL set is exactly what Shag pointed out. Inbound deny all. Outbound allow all.

Once you add your SOHO router/firewall device, you have formed a perimeter network between your cable/dsl modem and the outside interface of your SOHO router/firewall and then you have a relatively secure internal LAN behind that SOHO router/firewall. You can tweak and tune accordingly. Do so only if you know what you're up to though.

As pointed out, modern networking gear is VERY capable of keeping up with load.

--Th13

Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

I think the assumption is that a firewall is going to have larger ACL lists than a router. The larger your ACL list, the more processing power required. So if your firewall were at the perimeter it would see just as much traffic as a router but would use more resources processing it.

This would only be necessary in a corporate environment as the typical SOHO would not have complicated ACLs set up.

There are a couple of ways you can setup layered security for a LAN with publicly accessible resources, such as HTTP, FTP, DNS, SMTP relay, etc... The easiest and more affordable way to do it is buy a firewall with DMZ support. That way, you can put all the public servers inside the DMZ and it will basically act as a dead-end between the public network and the private LAN. Most higher-end firewalls have great support for DMZs, but most of the lower-end simple NAT firewalls don't really bring what’s needed to support medium to large scale enterprises. The basic technology is the same between high-end and low-end firewalls, but high-end firewalls have a lot more features that you can take advantage of in order to make your LAN and DMZ more secure from each other. A true DMZ doesn't allow any traffic from the DMZ to enter the LAN zone; however the LAN zone can access the entire DMZ.

The other way you can do it, if you can't take advantage of built-in DMZs, is to have two firewalls, one in front of the other. That way, you can create a type of physical DMZ, if you will, that has the public servers running behind the first standard firewall with the private LAN on the other side of the second, more high-end firewall. In both cases you are accomplishing the same task: separating the public resources from the private resources. If you don't need to have any public resources, then all you need is a good firewall in front of the LAN...or you can throw in the dreaded "honeypot" behind that firewall for noob hackers. Many times people like to try and attack the DMZ, which is all fine and dandy, but the real prize is the LAN that sits right next to it untouched. That is why you should always get a decent dedicated firewall.

I guess I should've clarified some things. I'm aware of the low cost of consumer routers and such as well as the default settings, but from a network design point of view, aren't edge routers redundant? For instance, some sources state that the design should start out like so:

Internet --- Edge Router --- Firewall --- Router ( Internal Network )

Now what is the value of the edge router there? I'll just argue my thinking against the "advantages":

1) Relieves load on firewall :
Ok, so what? Even if you relieve the load on the firewall, the edge router is still picking up that same load. If, let's say, a DDoS attack locks up a firewall, wouldn't it do the same for an edge router with ACLs?

2) Acts as a choke point:
Well the firewall without an edge router in front of it acts as a choke point too. Again if any attacks were to lock up a firewall....yada yada yada.

3) Another layer of security:
Isn't this more of an additional layer of headache? Support for another additional piece of hardware. Although I would be wrong in this case if the above were wrong also.

As for the DMZ, well, there is a 3rd way if the firewall doesn't have a 3rd port. I haven't tried it myself, just on paper. A VLAN could be set up with some ACLs that can act in a similar manner as a firewall with a 3rd port for the DMZ.
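The zone design discussed in the two posts above (a true DMZ that the LAN can reach but that can never initiate into the LAN, with only published services open from the outside) and the "VLAN plus ACLs" variant are both just a zone policy; the SPI-versus-plain-ACL distinction raised earlier in the thread is whether reply packets need their own rule. This added example, which is not from the thread or any vendor's product, models all of that in a small simulator: the addresses, zones, rule list and packets are all constructed for illustration.

```python
"""Zone-based packet filter simulator: SOHO default policy plus a true DMZ.

Added example (not from the thread). Models WAN / LAN / DMZ zones with a
first-match policy and compares a stateless ACL with stateful inspection,
where only the first packet of a flow is judged against the policy.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing plan for the example (an assumption, not from the thread).
ZONES = {
    "LAN": ip_network("192.168.1.0/24"),
    "DMZ": ip_network("192.168.2.0/24"),
}


def zone_of(ip: str) -> str:
    """Map an address to LAN, DMZ, or WAN (anything not in a local prefix)."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# Zone policy: (from_zone, to_zone, dport or None for any, action).
# First match wins; anything unmatched is dropped (default deny).
RULES = [
    ("LAN", "WAN", None, "accept"),  # allow all LAN traffic outbound
    ("LAN", "DMZ", None, "accept"),  # LAN may reach the whole DMZ
    ("WAN", "DMZ", 80, "accept"),    # published HTTP server
    ("WAN", "DMZ", 25, "accept"),    # published SMTP relay
    ("DMZ", "WAN", None, "accept"),  # DMZ hosts may reach out (updates, mail delivery)
    ("DMZ", "LAN", None, "drop"),    # true DMZ: nothing from the DMZ enters the LAN
    ("WAN", "LAN", None, "drop"),    # deny all WAN traffic inbound
]


def match_policy(rules, p: Packet) -> str:
    """Stateless ACL evaluation: every packet is judged on its own."""
    src_z, dst_z = zone_of(p.src), zone_of(p.dst)
    for from_z, to_z, port, action in rules:
        if from_z == src_z and to_z == dst_z and port in (None, p.dport):
            return action
    return "drop"


class StatefulFilter:
    """Stateful packet inspection: the policy is consulted only for the first
    packet of a flow; later packets in either direction match the connection table."""

    def __init__(self, rules):
        self.rules = rules
        self.conntrack = set()  # 5-tuples of flows the policy has accepted

    @staticmethod
    def _flow(p: Packet) -> tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> tuple:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p: Packet) -> str:
        if self._flow(p) in self.conntrack or self._reverse(p) in self.conntrack:
            return "accept (established)"
        action = match_policy(self.rules, p)
        if action == "accept":
            self.conntrack.add(self._flow(p))
            return "accept (new)"
        return "drop"


def run_demo() -> dict:
    """Push constructed packets through both a stateless ACL and the stateful
    filter; returns {label: (stateless, stateful)} so the difference is visible."""
    fw = StatefulFilter(RULES)
    lan, dmz, wan = "192.168.1.10", "192.168.2.20", "203.0.113.5"  # constructed hosts
    cases = {
        "lan->wan https": Packet(lan, 50000, wan, 443),
        "https reply": Packet(wan, 443, lan, 50000),
        "wan->lan ssh": Packet(wan, 40000, lan, 22),
        "wan->dmz http": Packet(wan, 40001, dmz, 80),
        "wan->dmz mysql": Packet(wan, 40002, dmz, 3306),
        "dmz->lan smb": Packet(dmz, 33000, lan, 445),
        "lan->dmz ssh": Packet(lan, 50001, dmz, 22),
    }
    results = {}
    for label, pkt in cases.items():
        results[label] = (match_policy(RULES, pkt), fw.decide(pkt))
    return results


if __name__ == "__main__":
    for label, (stateless, stateful) in run_demo().items():
        print(f"{label:16} stateless={stateless:7} stateful={stateful}")
```

The "https reply" case is the point of the SPI remark: a plain ACL with "deny all WAN inbound" would drop the web server's reply to the LAN client unless a hole were opened for it, while the stateful filter accepts it because the outbound flow is already in its table. The "dmz->lan smb" case shows the one-way DMZ property, and "wan->dmz mysql" shows that anything not explicitly published stays closed under default deny.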

Hi,
I think there is a slight confusion in terms. Normally, for me, the edge router is nothing more than the last network element on your network before you go to the public network (internet). You can have a firewall on it or behind it. For example, my edge router is my old Linksys. It has a built-in firewall and a DMZ. The performance is more than adequate for my home network.

"America is the only country that went from barbarism to decadence without civilization in between."
"The reason we are so pleased to find other people's secrets is that it distracts public attention from our own."
Oscar Wilde(1854-1900)